Fedora Linux Support Community & Resources Center

  #1  
Old 8th March 2009, 07:54 AM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
SELinux AVC denial?!

Hello everyone. I tried to synchronize the time with an internet clock. But I get this message from SELinux.

"SELinux is preventing ntpd (ntpd_t) "read write" unconfined_t."

It is an AVC denial. I am wondering why. Can anyone tell me which module I should activate to allow the system time to synchronize with the internet?
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
  #2  
Old 8th March 2009, 08:01 AM
tdcrooks Offline
Registered User
 
Join Date: Dec 2007
Age: 28
Posts: 74
Whenever I get SELinux denials, I click on the SELinux logo that appears in the panel. Once there, I find some command that it lists to enter in order to not get the SELinux denial anymore. That usually does it when I retry whatever I was trying before that gave me the denial.

Anyone else do this?
__________________
tdcrooks

I'm heading towards a career in Linux and I'm looking to learn as much as possible, so your answers to my questions are appreciated.

Registered Linux User: #468950

http://rootblock.wordpress.com
  #3  
Old 8th March 2009, 06:18 PM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by tdcrooks
Whenever I get SELinux denials, I click on the SELinux logo that appears in the panel. Once there, I find some command that it lists to enter in order to not get the SELinux denial anymore. That usually does it when I retry whatever I was trying before that gave me the denial.

Anyone else do this?
Thanks for sharing your experience. But I do not think I quite understand how to follow your solution. Because when I click the icon, it just shows the denial message and info about what had been denied and why. I could not see any command there. Do you mind offering me a bit more detail?
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
  #4  
Old 8th March 2009, 06:29 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 621
Hi,

Do you mind giving us a bit more detail? I would, for example, like to have a look at the complete AVC denial, not just the short version that you have provided.

Also I would like to know what you did that caused this to happen.

From the information that you have supplied my guess is that this is a "leaked file descriptor" issue, either caused by a bug in a program or by using a program in a way not recommended.

A solution for leaked file descriptor issues was posted just yesterday on the fedora-selinux mailing list, which is a great resource for solving SELinux issues.

Here is a quote (thanks dwalsh):

cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
type unconfined_t;
attribute domain;
class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };

__eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp

Here is the fedora-selinux mailing list archive:

http://marc.info/?l=fedora-selinux-list&r=1&w=2

And here is the posting that discusses (what I think might be similar to) your issue:

http://marc.info/?l=fedora-selinux-l...3728427238&w=2

hth,
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
  #5  
Old 8th March 2009, 06:49 PM
JohnVV Offline
Registered User
 
Join Date: Aug 2005
Location: Ann Arbor
Age: 45
Posts: 3,907
In the denial message there are instructions. Most of the time it is something like running
" restorecon -v '/' " or something like that.

If not, please copy/paste the message here.
__________________
Running Arch ,OpenSUSE 11.4-64bit & Scientific Linux 6.1-64bit ( fedora 4 to 11)
My Celestia Downloads

http://celestiamotherlode.net/catalo...?creator_id=10
  #6  
Old 9th March 2009, 01:31 PM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by domg472
Hi,

Do you mind giving us a bit more detail? I would, for example, like to have a look at the complete AVC denial, not just the short version that you have provided.

Also I would like to know what you did that caused this to happen.

From the information that you have supplied my guess is that this is a "leaked file descriptor" issue, either caused by a bug in a program or by using a program in a way not recommended.

A solution for leaked file descriptor issues was posted just yesterday on the fedora-selinux mailing list, which is a great resource for solving SELinux issues.

Here is a quote (thanks dwalsh):

cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
type unconfined_t;
attribute domain;
class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };

__eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp

Here is the fedora-selinux mailing list archive:

http://marc.info/?l=fedora-selinux-list&r=1&w=2

And here is the posting that discusses (what I think might be similar to) your issue:

http://marc.info/?l=fedora-selinux-l...3728427238&w=2

hth,

Thanks for the info. I have not read your solution carefully yet. But I am going to post the details anyway.

"
SELinux is preventing ntpd (ntpd_t) "read write" unconfined_t.

detail: SELinux denied access requested by ntpd. It is not expected that this access is required by ntpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

access permission(?): You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

additional detail
source code(?): unconfined_u:system_r:ntpd_t:s0
target code(?): unconfined_u:unconfined_r:unconfined_t:s0
target (?): socket [ unix_stream_socket ]
source: ntpd
source directory: /usr/sbin/ntpd
socket (?): unknown
machine: XXXX
source RPM package: ntp-4.2.4p6-1.fc10
target RPM package:
RPM policy: selinux-policy-3.5.13-46.fc10
activate Selinux: True
policy type: targeted
activate MLS: True
Enforcing mode: Enforcing
plugin name: catchall
machine name: XXXXX
platform: Linux Lenovo-SR410A 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
warning count: 5
First occur: 2009,03,08 sun 01:10:21
Latest occur: 2009.03.09 Mon 08:13:59
local ID: 45d62d7b-813e-4ea3-be37-460ccef9f2e0
Line number(?):
Original core(?) info:
node=Lenovo-SR410A type=AVC msg=audit(1236600839.981:74): avc: denied { read write } for pid=7452 comm="ntpd" path="socket:[303249]" dev=sockfs ino=303249 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=Lenovo-SR410A type=SYSCALL msg=audit(1236600839.981:74): arch=40000003 syscall=11 success=yes exit=0 a0=8363968 a1=8362f80 a2=8363ea0 a3=0 items=0 ppid=7451 pid=7452 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

"
Sorry for the modification. My OS has been localized, so I had to translate those terms into English. If it does not make sense, I will try to change the language of the system and do it again.
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
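As an added example (not part of the thread, and not a tool the posters used), the raw AVC line above can be triaged from a shell instead of by eye. The script below parses the fields of an audit AVC record, decides whether a denial fits the leaked-file-descriptor pattern domg472 describes (a confined daemon denied read/write on a unix_stream_socket labelled unconfined_t, i.e. a descriptor inherited from an unconfined parent rather than one it opened itself), and prints a dontaudit rule limited to the exact source type seen, which is narrower than the `dontaudit domain ...` rule quoted earlier that covers every process domain. The two sample lines are the raw audit messages posted in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example: triage raw AVC denials from the audit log.
# Sample lines are the two raw audit messages posted in this thread
# (ntpd leaked socket; kdm search on /), embedded so the script runs offline.
NTPD_AVC='node=Lenovo-SR410A type=AVC msg=audit(1236600839.981:74): avc: denied { read write } for pid=7452 comm="ntpd" path="socket:[303249]" dev=sockfs ino=303249 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket'
KDM_AVC='node=newpc type=AVC msg=audit(1236204915.97:135): avc: denied { search } for pid=2195 comm="kdm" name="/" dev=sdb6 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes stripped).
# A leading space is prepended so that "pid=" never matches inside "ppid=".
avc_field() {
    printf ' %s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set between "denied {" and "} for".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for.*/\1/p'
}

# context_type CONTEXT: the type field (third colon-separated component).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_leaked_fd LINE: true when a confined domain is denied read/write on a
# unix_stream_socket owned by unconfined_t, the signature of a descriptor
# leaked across an exec from an unconfined parent.
is_leaked_fd() {
    [ "$(avc_field "$1" tclass)" = unix_stream_socket ] || return 1
    [ "$(context_type "$(avc_field "$1" tcontext)")" = unconfined_t ] || return 1
    [ "$(context_type "$(avc_field "$1" scontext)")" != unconfined_t ] || return 1
    case " $(avc_perms "$1") " in
        *" read "*|*" write "*) return 0 ;;
    esac
    return 1
}

# triage LINE: one-word verdict used to pick a remedy.
triage() {
    if is_leaked_fd "$1"; then
        echo leaked_fd        # safe to silence with a dontaudit rule
    else
        echo needs_review     # labeling problem, bug or real intrusion: look closer
    fi
}

# dontaudit_rule LINE: a dontaudit rule limited to the exact source type seen.
# dontaudit only stops the logging; it grants no access.
dontaudit_rule() {
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    printf 'dontaudit %s %s:%s { %s };\n' \
        "$stype" "$ttype" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# Stand-alone run: triage both sample lines.
for line in "$NTPD_AVC" "$KDM_AVC"; do
    printf '%s %s -> %s\n' "$(avc_field "$line" comm)" \
        "$(avc_field "$line" tclass)" "$(triage "$line")"
done
```

On a live system the same functions work on `grep 'type=AVC' /var/log/audit/audit.log` output, one record per line. The kdm line from later in this thread is classified as needs_review: a search denial on a directory is a labeling or policy question, not a leaked descriptor, so a dontaudit rule would be the wrong answer for it.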
  #7  
Old 9th March 2009, 01:33 PM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by JohnVV
In the denial message there are instructions. Most of the time it is something like running
" restorecon -v '/' " or something like that.

If not, please copy/paste the message here.
Thanks for the reply. But I don't think it is running restorecon -v. I just tried to synchronize my clock with the internet.....
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
  #8  
Old 9th March 2009, 06:52 PM
JohnVV Offline
Registered User
 
Join Date: Aug 2005
Location: Ann Arbor
Age: 45
Posts: 3,907
Quote:
SELinux is preventing ntpd (ntpd_t) "read write" unconfined_t.
That is an SE permission error.
In the SELinux Troubleshooter error message it should have stated a possible fix,
having you run a command:
Code:
su -
restorecon -v '/'
  -- or --
restorecon -v '/usr/sbin'
but I did not see that part of the error in your last post.
---------- an example from my computer (I still have not fixed this KDM error, seeing as everything works)
Quote:

Summary:

SELinux is preventing kdm (xdm_t) "search" to / (boot_t).

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /,

restorecon -v '/'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:boot_t:s0
Target Objects / [ dir ]
Source kdm
Source Path /usr/bin/kdm
Port <Unknown>
Host newpc
Source RPM Packages kdebase-workspace-4.2.0-8.fc9
Target RPM Packages filesystem-2.4.13-1.fc9
Policy RPM selinux-policy-3.3.1-123.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name newpc
Platform Linux newpc 2.6.27.15-78.2.23.fc9.i686 #1 SMP Wed Feb 11 23:53:07 EST 2009 i686 i686
Alert Count 2
First Seen Wed 04 Mar 2009 05:12:42 PM EST
Last Seen Wed 04 Mar 2009 05:15:15 PM EST
Local ID 17d168d4-2ee8-4df9-b758-817637d47872
Line Numbers

Raw Audit Messages

node=newpc type=AVC msg=audit(1236204915.97:135): avc: denied { search } for pid=2195 comm="kdm" name="/" dev=sdb6 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=newpc type=SYSCALL msg=audit(1236204915.97:135): arch=40000003 syscall=5 success=no exit=-13 a0=8065c6b a1=8000 a2=1b6 a3=0 items=0 ppid=1 pid=2195 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
__________________
Running Arch ,OpenSUSE 11.4-64bit & Scientific Linux 6.1-64bit ( fedora 4 to 11)
My Celestia Downloads

http://celestiamotherlode.net/catalo...?creator_id=10
  #9  
Old 10th March 2009, 08:41 PM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by JohnVV
That is an SE permission error.
In the SELinux Troubleshooter error message it should have stated a possible fix,
having you run a command:
Code:
su -
restorecon -v '/'
  -- or --
restorecon -v '/usr/sbin'
but I did not see that part of the error in your last post.
---------- an example from my computer (I still have not fixed this KDM error, seeing as everything works)

Thanks for the suggestion.
I have tried restorecon -v '/usr/sbin', but it does not work.

Yeah, the message you highlighted in red is not there....
It is really not there.... I do not know why....
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
  #10  
Old 10th March 2009, 10:14 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 621
It is a leaked file descriptor. The following should fix your issue:

cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
type unconfined_t;
attribute domain;
class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };

__eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
  #11  
Old 11th March 2009, 06:04 PM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by domg472
It is a leaked file descriptor. The following should fix your issue:

cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
type unconfined_t;
attribute domain;
class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };

__eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp
Thanks for the solution. But do you mind telling me where I should put the file with this script? This is the first time I have dealt with this problem. I have not learned the correct method to configure the script....
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
  #12  
Old 11th March 2009, 06:50 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 621
1. create a dir where you will make the source policy:

mkdir ~/kdeleaks; cd ~/kdeleaks;

2. create a source policy file:

echo "policy_module(kdeleaks, 1.0)" > kdeleaks.te;
echo "require {" >> kdeleaks.te;
echo "type unconfined_t;" >> kdeleaks.te;
echo "attribute domain;" >> kdeleaks.te;
echo "class unix_stream_socket { read write };" >> kdeleaks.te;
echo "}" >> kdeleaks.te;
echo "dontaudit domain unconfined_t:unix_stream_socket { read write };" >> kdeleaks.te;

3. build the source policy file:

make -f /usr/share/selinux/devel/Makefile

4. install the binary policy file that it has created:

/usr/sbin/semodule -i kdeleaks.pp

(now we have installed a binary policy module to the system that says: don't bother me about KDE leaked file descriptors)

hth,
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

Last edited by domg472; 11th March 2009 at 06:55 PM.
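The four steps above, collected into one script as an added example (my own script, not domg472's and not an SELinux tool): it writes the .te file with a heredoc whose terminator matches its opener, prints the absolute path of what it wrote (the thread's later question of "where did the directory go"), declares in the require block every type and class the rule names so the module compiles, and builds and loads the module only after checking that the policy devel Makefile and semodule exist, then confirms the module is actually listed. The function names `write_te_module` and `build_and_install` and the environment variable `SELINUX_DEVEL_MAKEFILE` are my own; the rule is scoped to ntpd_t, the type from the denial posted in this thread, rather than to the `domain` attribute used in the quoted snippet.

```shell
#!/bin/sh
# Added example: create, build and install a small dontaudit policy module.
# Assumptions: Fedora layout, /usr/share/selinux/devel/Makefile from
# selinux-policy-devel and semodule from policycoreutils; steps 3 and 4
# need root. write_te_module / build_and_install are names chosen here.

# write_te_module DIR NAME STYPE TTYPE CLASS PERMS
# Creates DIR, writes DIR/NAME.te and prints its absolute path.
# The require block must declare every type and class the rule refers to,
# otherwise the module fails to compile.
write_te_module() {
    dir=$1; name=$2; stype=$3; ttype=$4; class=$5; perms=$6
    mkdir -p "$dir" || return 1
    cat > "$dir/$name.te" << EOF
policy_module($name, 1.0)

require {
    type $stype;
    type $ttype;
    class $class { $perms };
}

# dontaudit only stops the denial being logged; it grants nothing.
dontaudit $stype $ttype:$class { $perms };
EOF
    ( cd "$dir" && printf '%s/%s.te\n' "$(pwd)" "$name" )
}

# build_and_install DIR NAME
# Steps 3 and 4: compile NAME.te into NAME.pp, load it, and confirm it is
# listed. Returns 2 when the toolchain is missing, 1 when a step fails.
build_and_install() {
    dir=$1; name=$2
    makefile=${SELINUX_DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}
    if [ ! -f "$makefile" ]; then
        echo "missing $makefile (install selinux-policy-devel)" >&2
        return 2
    fi
    if ! command -v semodule > /dev/null 2>&1; then
        echo "semodule not found (install policycoreutils)" >&2
        return 2
    fi
    ( cd "$dir" && make -f "$makefile" "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp" || return 1
    # Verify the module is loaded instead of trusting the exit code alone.
    semodule -l | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' || return 1
    echo "module $name installed from $dir/$name.pp"
}

# Stand-alone run: write the module into a fresh directory (domg472 used
# ~/kdeleaks; any directory works) and say where it went. Building and
# loading it is a root-only side effect, so it runs only when asked for.
WORK=$(mktemp -d "${TMPDIR:-/tmp}/kdeleaks.XXXXXX")
TE=$(write_te_module "$WORK" kdeleaks ntpd_t unconfined_t unix_stream_socket "read write")
echo "wrote $TE"
if [ "${1:-}" = install ]; then
    build_and_install "$WORK" kdeleaks || echo "build/install failed (status $?)" >&2
else
    echo "run again with the argument 'install' (as root) to build and load it"
fi
```

The module name is whatever the first argument to `policy_module` is, so `semodule -l` is the place to look for it afterwards; the source directory itself is never moved or deleted by the build, which is why `pwd` (or `ls -d ~/kdeleaks`) still finds it after `semodule -i`.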
  #13  
Old 13th March 2009, 10:45 PM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by domg472
1. create a dir where you will make the source policy:

mkdir ~/kdeleaks; cd ~/kdeleaks;

2. create a source policy file:

echo "policy_module(kdeleaks, 1.0)" > kdeleaks.te;
echo "require {" >> kdeleaks.te;
echo "type unconfined_t;" >> kdeleaks.te;
echo "attribute domain;" >> kdeleaks.te;
echo "class unix_stream_socket { read write };" >> kdeleaks.te;
echo "}" >> kdeleaks.te;
echo "dontaudit domain unconfined_t:unix_stream_socket { read write };" >> kdeleaks.te;

3. build the source policy file:

make -f /usr/share/selinux/devel/Makefile

4. install the binary policy file that it has created:

/usr/sbin/semodule -i kdeleaks.pp

(now we have installed a binary policy module to the system that says: don't bother me about KDE leaked file descriptors)

hth,
Thanks, it does the trick. But I cannot find the directory "kdeleaks" anywhere in the place I made it. Has it been removed after I installed the policy? So are the firewall policies different between KDE and Gnome?
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!
  #14  
Old 13th March 2009, 10:55 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 621
cd ~/kdeleaks; pwd;

does this help?

This policy is not KDE specific. But the problem is KDE specific, I believe.

KDE leaks file descriptors.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

Last edited by domg472; 13th March 2009 at 10:57 PM.
  #15  
Old 14th March 2009, 01:24 AM
BrillianceLin Offline
Registered User
 
Join Date: Jan 2007
Posts: 143
Quote:
Originally Posted by domg472
cd ~/kdeleaks; pwd;

does this help?

This policy is not KDE specific. But the problem is KDE specific, I believe.

KDE leaks file descriptors.
Thanks for the tip, I can go into it in the terminal. But I cannot find it with ls. And I think I asked the question in the wrong way. Because the directory is ~. So, I think I should have asked how I find this directory (~)....

Talking about the KDE file descriptor leak: that could be strange. Because I am running Gnome. And I did not put KDE on the system at all.

But anyway, the problem goes away, and that is all I need to happen. So, thanks again.
__________________
If Microsoft is god, then now it is time for me to bring it down to hell!